Retention & Disposition in the Cloud Do you really have control?

Transcription

1 InterPARES Trust Retention & Disposition in the Cloud Do you really have control? Franks Patricia, San Jose State University, San Jose, USA and Alan Doyle, University of British Columbia, Canada October 23, 2014 ICCSM 2014

2 Research Questions How does the use of cloud services affect our capability to retain and dispose of records in accordance with the law and other applicable guidelines? What can be done to mitigate any risks arising from the gaps between our ability to apply retention and disposition actions to manage records residing within the enterprise and those residing in the cloud?

3 to mitigate risk

4 Retention & Disposition Defined Retention is the continued possession, use, and control of the records that must be kept to meet administrative, fiscal, legal, or historical requirements. (ISO , p. 3) Disposition includes the range of processes associated with implementing records retention, destruction or transfer decisions which are documented in disposition authorities or other instruments.

5 Retention & Disposition Obligations of the Organization Retention An organization shall retain its information for an appropriate time, taking into account all operational, legal, regulatory and fiscal requirements, and those of all relevant binding authorities. ~ARMA International, The Principles Disposition An organization shall provide secure and appropriate disposition for records that are no longer to be maintained by applicable laws and the organization s policies.

6 Not all info is equal Records and information created within the organization and transferred to a cloud vendor can be categorized and registered with a records management system before exiting the enterprise. Records and information generated in the cloud are under the physical control of a third party and must be captured after creation and then categorized and managed. Industries that produce big data e.g., transportation, utilities, and biosciences must capture and categorize information and records electronically and automatically (without human intervention to impose retention rules). Not all information in the cloud rises to the level of a record; however, the organization is still responsible for managing nonrecord content.

7 Nonrecords & ephemeral records A nonrecord is any document, device, or item, regardless of physical form or characteristic, created or received that does not serve to document the organization, functions, policies, decisions, procedures, operations, or other activities of the organization Nonrecords are termed ephemeral records by some organizations and included on a disposition authority, such as one developed by the Government of Western Australia. They have no continuing value, are generally only needed for a few hours or a few days, and may not need to be placed in the official recordkeeping system examples include mailing lists stored in cloud systems and rough drafts of reports held in file hosting services (storage utilities).

8 What does the Government of Australia say about Ephemeral Records? Such records may be destroyed once reference ceases, as specified in the General Disposal Authority for State Government Information and the General Disposal Authority for Local Government Records.

9 RETENTION & DISPOSITION SYSTEM REQUIREMENTS

10 Retention & Disposition System Requirements Record systems should be capable of facilitating and implementing decisions on the retention or disposition of records. It should be possible for these decisions to be made at any time in the existence of records, including during the design stage of records systems. It should also be possible, where appropriate, for disposition to be activated automatically. Systems should provide audit trails or other methods to track completed disposition actions (ISO , p. 10).

12 Questions to be asked/answered 1. Can retention periods be applied? 2. Can destruction actions be automated? 3. Can a disposition authority retention and disposition specifications be applied to aggregations of records? 4. Can records be retained indefinitely, destroyed at a future date, transferred at a future date? 5. Can records be deleted (including backups) according to the schedule?

13 Questions (cont.) 6. Are users alerted of conflicts related to links from records to be deleted to other records aggregations that have different records disposition requirements? 7. If more than one disposal authority is associated with an aggregation of records, can all retention requirements be tracked to allow the manual or automatic lock or freeze on the process (i.e., Freeze for litigation or legal discovery)? 8. Are disposal actions documented in process metadata? 9. Can all disposal actions be automatically recorded and reported to the administrator? 10. Can the system provide audit trails or other methods to track completed disposition actions (e.g., metadata, reports)

18 Forrester Consulting study Building for the Future: What the New World of Cloud IT Means for the Network (9/2013)

19

20

21 Short-term requirements Short-term records have a limited useful life and are retained only as long as needed for the primary purpose for which they were created; they have administrative (operational), legal (regulatory), and/or fiscal value. Organizations operating in heavily regulated industries, such as the Finance Industry, may receive guidance to help them manage records created when they utilize blogs, microblogs and social networking sites to reach out to current and prospective clients.

22 Ex. SaaS (Social Media) and FINRA Guidance The Finance Industry Regulatory Authority s FINRA Regulatory Notice 12-29, February 4, 2013, categorizes communications shared by the finance industry as retail communications since they are distributed or made available to more than twenty-five retail investors within a thirty calendar-day period. Social media communications fall in this category and are exempt from pre-use approval requirements; must be managed after posting; must comply with NASD Rule 2210(b)(4)(A) concerning recordkeeping requirements; and must be retained for a period of three years (two years on the premises). The Bottom Line: For business communications made via social media, even if only distributed internally, records must be kept. Most firms have chosen the "safe" route and capture all social media communications, similar to what is presently done for .

23 Short term requirements (cont.) Short-term records also include those generated dynamically by applications deployed in the cloud as a result of business transactions. This data can be downloaded to an enterprise content management system or managed within the cloud environment.

24 Business Process as a Service (BPaaS) -Salesforce

25 Is this really records management as you know it? blog.denwa.uk.com/ managing-recordssalesforce/

26 r Chatte

27 4.1 Short term requirements (cont.) Legal concerns related to internal operations include updating records schedules to reflect new records series resulting from cloud applications and implementing access policies for data hosted by third parties. External considerations that must be resolved include accepting only vendor Terms of Service Agreements (TSAs) and Service Level Agreements (SLAs) that are consistent with the organizations goals and objectives.

28 TSAs and SLAs - AWS as an example Analyst firms such as Gartner have declared the AWS service level agreements (SLA) useless. There have also been complaints that buying cloud services from AWS involves take it or leave it terms and conditions that do not fall down well with larger enterprises. (June 2013).

29 TSAs and SLAs - AWS 2014

30 Short term requirements (cont.) The elastic nature of the cloud and the free (e.g., social networks) or low-cost cloud services (file storage services) available make disposition appear less urgent. Unless the location of all electronic records is known and rules are in place to dispose of these records automatically, disposition actions may be haphazard. The routine destruction of records is essential to a defensible records management program, yet many institutions effectively never destroy electronic records.

32 Long term records issues and challenges Ability to maintain the integrity of the records over the long term, migrate records to new file formats and systems, and export the records and associated metadata to the enterprise for longterm or permanent preservation. Standardized metadata is essential for system interoperability; however, proprietary systems do not adhere to a standardized records management metadata schema.

33 Long term records issues and challenges Some archives not only protect their collections but also provide access for researchers and other interested parties. Providing access to digital collections in a cloud archive may be an added requirement when searching for a cloud preservation solution.

34

35

36 Long term records issues and challenges If a cloud preservation service is employed, the organization must be confident that the data is in the custody of a trusted provider that employs a preservation system that is compliant with the Open Archival Information System (OAIS) reference model and protected by a sound disaster recovery plan.

39 Building Trust Venter et al., discuss that C-levels often report concern about data security and integrity in multi-tenancy and distributed storage environments. Consequently there appears to be a trend when dealing with the retention and disposition of sensitive and highly confidential information to trust only a private cloud deployment (FregusonBoucher et al.; Viewpointe) or a hybrid configuration (Géczy et al.; HP), over public cloud models that are mostly associated with multi-tenancy and distributed data centers. Potential development of decision-modeling tools to aid in the cloud provider selection process and service agreement negotiations.

40 IN SUMMARY

41 The use of cloud services is driven by a desire to improve processes and reduce costs while retaining control. Records that are allowed to escape the control of records managers and records schedules are records that could cost the enterprise money, reputation, or even its survival.

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,

Executive of Distributed to Members of ARMA International February- March 2015 InterPARES Trust Research Project: Retention and Disposition in a Cloud Environment Principal investigator Dr. Patricia C.

Cloud Computing: Implications and Guidelines for Records Management in Kentucky State Government (Version 1.0 August 2012) Many information technology (IT) departments and resource allocators are considering

RECORDS AND INFORMATION MANAGEMENT AND RETENTION Policy The Health Science Center recognizes the need for orderly management and retrieval of all official records and a documented records retention and

Protecting Official Records as Evidence in the Cloud Environment Anne Thurston Introduction In a cloud computing environment, government records are held in virtual storage. A service provider looks after

State of Michigan Records Management Services Frequently Asked Questions About E mail Retention It is essential that government agencies manage their electronic mail (e mail) appropriately. Like all other

SOP s for Managing Application Services Providers Ivan Soto Learning Objectives At the end of this session we will have covered: Types of Managed Services Outsourcing process Quality expectations for Managed

Fundamentals of Information Governance: More than just records management PETER KURILECZ CRM CA IGP Hard as I try, I simply cannot make myself understand how Information Governance isn t just a different

Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage

E-MAIL RETENTION BEST PRACTICE Issue Date: April 20, 2011 Intent and Purpose: The intent of this best practice is for county officials to have an educational mechanism to explain requirements for maintaining

Information Management Advice 18 Managing records in business systems Assessment tool: Measuring recordkeeping compliance in business systems Introduction Using this tool to identify and assess core business

Millions of Google Apps Users May be In Violation of Legal & Organizational Compliance Standards. Learn How To Avoid it. The problem More than 30 million users within businesses, government agencies, schools

Arizona State Library, Archives and Public Records RECORDS MANAGEMENT DIVISION 1919 West Jefferson Phoenix, Arizona 85009 (602) 542-3741 Managing Public Records Sent and Received Via Electronic Mail These

Generally Accepted Recordkeeping Principles Information Governance Maturity Model Information is one of the most vital strategic assets any organization possesses. Organizations depend on information to

IT Forum 2-11-2013 UW-Madison Records Management Program Records facilitate and sustaining day-to-day university operations. Records support organizational activities such as student admissions, research

PURPOSE Records and information are important strategic assets of an organization and, like other organizational assets (people, capital and technology), must be managed to maximize their value. Information

What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

E-mail Management: A Guide For Harvard Administrators E-mail is information transmitted or exchanged between a sender and a recipient by way of a system of connected computers. Although e-mail is considered

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society

Developing a Records Retention Program This site is intended to help you design and implement a records retention program for your organization. Here you will find a basic explanation of a records retention

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

1. Scope The City of Mount Gambier Records Management Policy provides the policy framework for Council to effectively fulfil its obligations and statutory requirements under the State Records Act 1997.

Is it okay to destroy the paper source records? Are there any exceptions? Strategies for Developing a Document Imaging & Electronic Retention Program How do we ensure the program will stand up in court?

Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division Benjamin Young, Assistant General Counsel U.S. Department of Agriculture 1 Disclaimer The views expressed in this presentation

Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations

How to Choose a Cloud Backup Service Provider Why Should You Protect Your Data? Sooner or later - by mischief, misfortune or mistake - Odds are you will experience a data loss. Hardware failure, accidental

Whitepaper Jaya Arvind Krishna Mandira Shah Determining and implementing an IT strategy for any enterprise involves deliberating if current or new applications can be offered via the Cloud. The purpose

1. Introduction West Chester University is committed to effective records management to preserve its history, meet legal standards, optimize the use of space, minimize the cost of record retention, and

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies

Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

Discovery Technology Group E-mail Retention: Readiness Survey E-mail now represents the largest source of new documents and records generated within a company, and the most troublesome from a retention

State of Montana E-Mail Guidelines A Management Guide for the Retention of E-Mail Records for Montana State Government Published by the: Montana State Records Committee Helena, Montana September 2006 Based,

Legal Issues Associated with Cloud Computing Laurin H. Mills May 13, 2009 What Is Cloud Computing? The cloud is a metaphor for the Internet Leverages the connectivity of the Internet to optimize the utility

Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data

PAPER & BYTES: MANAGING OSU RECORDS POLICY, BEST PRACTICES, & RESOURCES FOR MANAGING OSU COLLEGE OF E&HE RECORDS WHERE WE ARE GOING THIS AFTERNOON Introductions 3 things to take away this afternoon What

E-Guide GARP and how it helps you achieve better information governance Sponsored By: E-Guide GARP and how it helps you achieve better information governance Table of Contents Resources from IBM Sponsored

A Strawman Model NIST Cloud Computing Reference Architecture and Taxonomy Working Group January 3, 2011 Objective Our objective is to define a neutral architecture consistent with NIST definition of cloud

How to Choose a Cloud Backup Service Provider List Products Implemented in File- Properties Why Should You Protect Your Data? Sooner or later - by mischief, misfortune or mistake - Odds are you will experience

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Presented by: Sabrina M. Segal, USITC, Counselor to the Inspector General, Sabrina.segal@usitc.gov Reference

Scanning and Tossing Requirements for Scanning and the Destruction of Paper Based Records Overview I want to go paperless! Can I scan and toss? What are the rules and requirements about imaging? What are

Auditing Software as a Service (SaaS): Balancing Security with Performance Goals for Today Defining SaaS (Software as a Service) and its importance Identify your company's process for managing SaaS solutions